[WEB SECURITY] Securing apache installation with PHP

Ryan Barnett rcbarnett at gmail.com
Thu May 19 15:46:36 EDT 2005


FYI - I am the Project Lead for the CIS Apache Benchmark document and
scoring tool (there's another title to add to my ever expanding
signature info...) The initial CIS Apache draft document was based on
my SANS GIAC Practical for the GCUX -
http://www.cgisecurity.com/lib/ryan_barnett_gcux_practical.html.

If anyone is using the CIS Apache Benchmark, I would be interested in
any feedback.  Additionally, you can send feedback to the
apache-feedback at cisecurity.org address.

Cheers.
-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC




On 5/19/05, Rochford, Paul <paul.rochford at hp.com> wrote:
> The PDF that comes with the Apache Benchmark from www.cisecurity.org has
> tons of info on obfuscating Apache banners and responses by modifying
> the httpd.h file, using different header set types for Emulation etc and
> others.
> 
> 
> Kind Regards,
> Paul Rochford
> 
> -----Original Message-----
> From: Ryan Barnett [mailto:rcbarnett at gmail.com]
> Sent: Thursday, May 19, 2005 4:15 PM
> To: Peter Motykowski
> Cc: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Securing apache installation with PHP
> 
> I wanted to give everyone a quick teaser on some Apache obfuscation
> info.
> 
> <Warning: PR Info>
> I am currently writing a book for Prentice-Hall/Addison-Wesley
> tentatively entitled "Web Intrusion Detection and Prevention with
> Apache".  In it, I discuss a little known (at least by me and anyone
> else I had presented this idea to) technique of altering not only the
> Server banner token info but also any of the other outbound headers.
> 
> Here is a small excerpt from my chapter -
> 
> ********************************************
> Banner Obfuscation with Apache's Output Filtering
>
> If you are not using
> Mod_Security, which by this point I cannot think of a reason why you
> wouldn't be using it, you can still accomplish this same task using the
> Apache 2.0 Output Filters.  We briefly discussed using the output
> filtering in chapter 8 when we needed to fix some of the Buggy Bank
> login html data returned to the client.  In this case, however, we need
> to alter the Server token of the HTTP Response Header instead of the
> html output.  This can be accomplished by the following output filter
> directives -
> 
> ExtFilterDefine fixbanner mode=output ftype=30 \
>     cmd="/bin/sed s|Apache.*$|Netscape-Enterprise/4\.1|g"
> 
> SetOutputFilter fixbanner
> 
> The first line defines our new filter is called, appropriately enough,
> "fixbanner."  Two important pieces of information to note with this
> ExtFilterDefine directive -
> 
> 1.  We are using "ftype=30" to tell Apache which filter hook to use.
> Here is a section of text from the Apache util_filter.h header file
> describing the AP_FTYPE_PROTOCOL type 30 -
> 
> /** These filters are used to handle the protocol between server
>  * and client.  Examples are HTTP and POP. */
> AP_FTYPE_PROTOCOL     = 30,
> 
> 2.  We are using the "sed" command to substitute the Apache banner
> information with our new data - Netscape-Enterprise/4.1.  In order for
> the sed command to work properly with Apache, we need to use an
> alternate substitution delimiter.  Normally, the forward slash character
> is used, however we are using the forward slash in our substitution text
> (/4.1) and the sed command was not working properly until I changed the
> delimiter.
> 
> ********************************************
> </Warning: PR Info>
> 
> This is just one example of leveraging Apache 2.0's Output Filtering
> capabilities.  Get creative as I am sure that others will be able to
> come up with other fun security uses for Output filtering :)
> 
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GCUX, GSEC
> 
> On 5/19/05, Peter Motykowski <pmotykowski at suncorp.coop> wrote:
> > My favorite obscurity layer of security in Apache is modifying the
> > "ServerTokens" option.  The default setting dumps unnecessary version
> > information into the server signature and looks something like this:
> >
> > Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4
> > mod_jk/1.2.10 Server at domain.com Port 80
> >
> > Change the setting to "ServerTokens Prod" and you get this:
> > Apache Server at domain.com Port 80
> >
> > No need to hand out more info than needed!
> >
> > # ServerTokens
> > # This directive configures what you return as the Server HTTP response
> > # Header. The default is 'Full' which sends information about the OS-Type
> > # and compiled in modules.
> > # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
> > # where Full conveys the most information, and Prod the least.
> >
> > Peter
>
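
The sed expression from Ryan's excerpt above can be tried outside Apache. The following is an added example, not code from any poster on this thread: it runs the posted substitution over a constructed sample HTTP response, shows why the default "/" delimiter fails when the replacement contains "/4.1" (sed rejects the command), and shows a narrower variant that only touches the Server header line. The sample response text, the function names, and the header-only variant are assumptions made for this example; the sample is constructed, not captured from a real server.

```shell
#!/bin/sh
# Constructed sample response: a version-revealing Server header plus a body
# line that happens to contain the word "Apache".
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a PHP/5.0.4
Content-Type: text/html

<html><body>Powered by Apache httpd</body></html>'

# The substitution as posted, using "|" as the s/// delimiter so that the
# "/" inside "Netscape-Enterprise/4.1" is not taken as a delimiter.
fix_banner() {
    printf '%s\n' "$SAMPLE_RESPONSE" | sed 's|Apache.*$|Netscape-Enterprise/4\.1|g'
}

# The same substitution with sed's default "/" delimiter. The "/" in "/4.1"
# terminates the replacement early, so sed sees garbage flags and fails.
# Returns sed's non-zero exit status; stderr is suppressed for the demo.
fix_banner_bad_delim() {
    printf '%s\n' "$SAMPLE_RESPONSE" | sed 's/Apache.*$/Netscape-Enterprise/4\.1/g' 2>/dev/null
}

# Narrower variant (an assumption of this example): restrict the rewrite to
# lines that start with "Server: " so body text mentioning Apache is left alone.
fix_banner_header_only() {
    printf '%s\n' "$SAMPLE_RESPONSE" | sed '/^Server: /s|Apache.*$|Netscape-Enterprise/4.1|'
}

# Stand-alone run: print both outputs so the difference is visible.
if [ "${1:-}" = "demo" ]; then
    echo "--- posted expression (whole stream) ---"
    fix_banner
    echo "--- header-only variant ---"
    fix_banner_header_only
fi
```

Running the posted expression over the whole stream rewrites every line containing "Apache" from that word to the end of the line, so the body line becomes "Powered by Netscape-Enterprise/4.1" and loses its closing tags; if the filter sees body data as well as headers, anchoring the substitution to the Server line avoids that collateral edit.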

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/